1

Someone told me that I can store MySQL passwords in a plain-text file in the web root, all I have to do is to give it a name starting with .ht (other than .htaccess). Is it so?

imustafin

1 Answer

4

That would depend on your webserver configuration. Many webservers do come configured that way.

Here is a snippet from /etc/apache2/apache2.conf on my Ubuntu Linux webserver:

```apache
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Your webserver would have to have similar configuration installed to deny access to files that start with .ht.

I would recommend storing sensitive data outside the web root. That way you don't have to rely on the web server configuration to protect it.

If you have to have it in the web root, naming it to start with .ht could work. You could also add your own FilesMatch directive to your .htaccess file to disallow access to any file name you choose.

Stephen Ostermiller
  • Any file beginning with . should be unavailable through Apache - that is, any web-based request should fail - while remaining available to Apache if required. At least that was the case in earlier versions. I echo the advice that any sensitive data be kept out of the web space and protected with file level permissions. Any hacked web application would be able to read these files and extremely often there are hacks looking for these files in a serial fashion. – closetnoc Sep 06 '14 at 15:09
  • Well yes. I know about storing files outside web root, but sometimes I have to use free or very cheap hosting without access to the web root's parent dirs. – imustafin Sep 06 '14 at 18:18
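
The answer's point that protection comes from the server configuration rather than from the file name can be checked statically. The following is an added example, not code from the answer or from Apache: it scans configuration text for `<Files>`/`<FilesMatch>` blocks that deny all clients and reports which file names they cover. The sample configuration and the names `db-credentials.ini` and `.htdbpass` are constructed, and the check assumes a single flat file (no `Include`, no `<Directory>` scoping, no later override).

```python
import fnmatch
import re

# Constructed sample: the stock block quoted in the answer plus a
# hypothetical custom rule (db-credentials.ini is an assumed file name).
SAMPLE_CONF = r'''
# <FilesMatch "\.bak$">
#     Require all denied
# </FilesMatch>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
<Files "db-credentials.ini">
    Require all denied
</Files>
'''

# <Files> takes a wildcard string (or a regex after "~"); <FilesMatch> takes a regex.
BLOCK = re.compile(r'<(Files|FilesMatch)\s+(~\s+)?"?([^">]+)"?\s*>(.*?)</\1\s*>',
                   re.IGNORECASE | re.DOTALL)
# Apache 2.4 syntax, and the 2.2-style equivalent.
DENY = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$',
                  re.IGNORECASE | re.MULTILINE)

def denying_rules(conf_text):
    """Return (kind, pattern) for each Files/FilesMatch block that denies all clients."""
    # Drop comment lines so commented-out blocks are not counted.
    active = re.sub(r'^[ \t]*#.*$', '', conf_text, flags=re.MULTILINE)
    rules = []
    for directive, tilde, pattern, body in BLOCK.findall(active):
        if DENY.search(body):
            is_regex = directive.lower() == 'filesmatch' or bool(tilde)
            rules.append(('regex' if is_regex else 'glob', pattern.strip()))
    return rules

def is_denied(filename, rules):
    """True if the file's base name matches any deny-all rule."""
    for kind, pattern in rules:
        if kind == 'regex' and re.search(pattern, filename):
            return True
        if kind == 'glob' and fnmatch.fnmatchcase(filename, pattern):
            return True
    return False

if __name__ == '__main__':
    rules = denying_rules(SAMPLE_CONF)
    for name in ('.htdbpass', 'db-credentials.ini', 'config.ini', '.env'):
        print(f'{name:22} {"denied" if is_denied(name, rules) else "not covered"}')
```

With an empty rule list nothing is denied, which is the situation on a server that lacks the `^\.ht` block.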